Re: (ITS#6943) segfault in rwmmap in 2.4.25

In regard to: Re: (ITS#6943) segfault in rwmmap in 2.4.25, masarati@aero.po...:
>> We don't have any definition for apple-group-nestedgroup in any of the
>> schemas that I have loaded. It's not something we support. We're also
>> not doing any proxying. Note also that the search base it's using
>> (cn=groups,dc=ndsu,dc=nodak,dc=edu) isn't valid. So, it's some Apple
>> system on campus that someone has set up to query our LDAP tree, looking
>> for things that the Mac OS X expects to find, but that we don't have or
>> support.
>>
>> One thing that confuses me a little -- I set the rwm-rewriteContext to
>> "bindDN", which I perhaps incorrectly believed meant that rewriting would
>> only be done for authenticated binds (i.e. not anonymous binds), and
>> this client did not authenticate. I was under the mistaken impression
>> that rwm shouldn't even be called in cases like this. I don't (currently)
>> need to rewrite searches or results from searches, only the bind
>> credentials, for when we eventually enable support for ldap authentication.
>>
>> Does that answer your question? Would it be helpful to see either my
>> original slapd.conf or the slapd-config that results from the conversion?
>
> Yes, either would be useful. Thanks, p.
Here it is.
Thanks,
Tim
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#@
#@ TVM: this file is no longer used. All slapd configuration is done via
#@ the LDAP/LDIF-based slapd-config(5) backend, using commands like ldapadd,
#@ ldapmodify, etc.
#@
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#
#
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# TVM: changed all paths from /etc/openldap/schema to
# /etc/local/openldap/schema.
# TVM: prior slapd.conf files based on earlier distributions of openldap
# had fewer default schemas included (the config file we used with 2.3.24
# on RH4 loaded only core, cosine, inetorgperson, misc, and our custom
# ndusEduPerson.schema).
# For the install on RHEL5, I started with the stock slapd.conf from openldap
# 2.4.21 and then removed the ones I didn't think we needed, e.g. corba,
# duaconf, dyngroup, java, nis, ppolicy, and collective.
#
#include /etc/local/openldap/schema/corba.schema
include /etc/local/openldap/schema/core.schema
include /etc/local/openldap/schema/cosine.schema
#include /etc/local/openldap/schema/duaconf.schema
#include /etc/local/openldap/schema/dyngroup.schema
include /etc/local/openldap/schema/inetorgperson.schema
#include /etc/local/openldap/schema/java.schema
include /etc/local/openldap/schema/misc.schema
#include /etc/local/openldap/schema/nis.schema
include /etc/local/openldap/schema/openldap.schema
#include /etc/local/openldap/schema/ppolicy.schema
#include /etc/local/openldap/schema/collective.schema
#
# TVM: custom NDUS schema
#
include /etc/local/openldap/schema/ndusEduPerson.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#
# TVM: the sizelimit and timelimits we've historically used for slapd
#
sizelimit 150
timelimit 180
# Load dynamic backend modules:
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
#
# TVM: uncommented this, we need it for bindDN massaging
#
moduleload rwm.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/ldap.NoDak.edu.crt
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.NoDak.edu.key
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#
# TVM: FIXME: for testing just require encryption for simple_bind
# TVM: this can't be enabled until Dale's code to populate LDAP is ready
# for it.
#security simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
# TVM: added NDUS access controls (Note: these were at the bottom of
# the older slapd.conf file before, now they're in an earlier section).
#
# I think we should seriously revisit these
#
access to filter=(cn=anonymous) attrs=cn,sn
by * none
#
# TVM: inserted this ACL between the two that have been present since
# the beginning. This is to try prevent userPassword: from showing up
# in ldapsearch output, but still allow it to be used for auth
#
access to attrs=userPassword
by anonymous auth
access to * by * read
#
# TVM: new with our OpenLDAP 2.4.x install: load the rwm overlay
# and add rules so that binds with the iid work.
#
overlay rwm
rwm-rewriteEngine on
# define a rewriteMap function that returns the dn for a particular attr
# This is straight out of the first bindDN example in slapo-rwm(5)
rwm-rewriteMap ldap attr2dn "ldap://localhost/dc=nodak,dc=edu?dn?sub"
rwm-rewriteContext bindDN
# and now the magic: parse out the IID and pass it to the attr2dn function.
# This is also almost exactly taken from slapo-rwm(5), though I'm using iid
# instead of mail and I'm not anchoring the regex and using $1, so it doesn't
# matter if it's qualified or not.
rwm-rewriteRule "^(iid=[^, ]+).*" "${attr2dn($1)}" ":@I"
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database hdb
suffix "dc=nodak,dc=edu"
checkpoint 1024 15
#
# TVM: I added these settings as part of the migration to 2.4.x.
# These are pure guesses. If memory is still available, we should
# probably increase both. Note section 21.4.3 of the guide, that indicates
# the idlcachesize should match cachesize when using bdb, but it should
# be 3*cachesize for hdb, which doesn't really make a lot
# of sense to me, but oh well... See slapd-bdb for more info
#
cachesize 2048
idlcachesize 6144
#
# TVM: using System V shared memory is much faster for recent versions of
# the Linux kernel than using mmap(2) files, so we'll give it a try.
#
# shm_key can be anything, it just identifies a shared memory segment that
# BDB can use for its shared memory regions.
#
shm_key 41
rootdn "cn=Someone Hidden, dc=ndsu, dc=nodak, dc=edu"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SHA}ceHixPjpYAryAobGXZyzztpweto=
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/data-1
#
# Indices to maintain for this database
#
# TVM: with openldap 2.3.24 on RHEL4 we just commented all of these out and
# added our own, some of which exactly duplicated these. I'll keep the first
# two index lines and comment out the next three, then supplement with ours.
#
# Also, previously we maintained a presence (pres) index on *every* one of
# these. Section 21.2.3 of the OpenLDAP admin guide makes it very clear
# that presence indexing is almost always a bad idea. With that in mind,
# I've removed presence indexing from all of these.
#
index objectClass eq
index ou,cn,mail,surname,givenname eq,sub
#index uidNumber,gidNumber,loginShell eq
#index uid,memberUid eq,sub
#index nisMapName,nisMapEntry eq,sub
#
# TVM: added indexes on all of these.
#
index mailLocalAddress,mailRoutingAddress,nid eq
index iid,uid,services eq,sub
index class,college,major eq,sub
index group,department,institution,title eq,sub
index physicalDeliveryOfficeName,telephoneNumber eq,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
#
# TVM: this is new with 2.4.x, we'll leave it enabled, see chapter 20 of
# the admin guide.
#
# enable monitoring
database monitor
rootdn "cn=Someone Hidden, dc=ndsu, dc=nodak, dc=edu"
# allow only rootdn to read the monitor
access to *
by * none
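As an added illustration, not part of Tim's message or of OpenLDAP's own code, the following Python script models what the bindDN rewriteRule in the posted slapd.conf (`"^(iid=[^, ]+).*" "${attr2dn($1)}"`) does to a bind DN. The regex is the one from the config; the `ATTR2DN` dictionary is a constructed stand-in for the `ldap` attr2dn rewriteMap, which in a real deployment queries the directory. How a failed lookup is handled (returning `None`) is a choice made here for clarity, not a description of slapo-rwm's behaviour.

```python
import re

# Regex copied from the rwm-rewriteRule in the posted config. It is anchored at
# the start only, so both "iid=123" and "iid=123,dc=nodak,dc=edu" match, and the
# capture stops at the first comma or space.
IID_RULE = re.compile(r"^(iid=[^, ]+).*")

# Constructed sample data standing in for the attr2dn ldap rewriteMap: the
# "iid=..." assertion used as a search filter, mapped to the DN it would return.
ATTR2DN = {
    "iid=1234567": "uid=user1,dc=nodak,dc=edu",
}


def captured_assertion(dn):
    """Return the $1 capture the rule would hand to attr2dn, or None if the
    bind DN does not match the rule at all."""
    m = IID_RULE.match(dn)
    return m.group(1) if m else None


def rewrite_bind_dn(dn, attr2dn=ATTR2DN):
    """Model the bindDN rewriting context with the single rule from the config.

    Returns (rewritten_dn, matched):
      * no match        -> the DN is passed through unchanged (matched=False),
                           e.g. an ordinary cn=... or uid=... bind
      * match + hit     -> the whole DN is replaced by the map result
      * match + miss    -> None, so a caller can reject the bind instead of
                           silently binding as the literal "iid=..." string
                           (modelling choice of this example, see lead-in)
    """
    key = captured_assertion(dn)
    if key is None:
        return dn, False
    return attr2dn.get(key), True


if __name__ == "__main__":
    for dn in ("iid=1234567,dc=nodak,dc=edu", "iid=1234567",
               "cn=Someone,dc=nodak,dc=edu", "iid=12 34"):
        print(f"{dn!r:40} -> {rewrite_bind_dn(dn)}")
```

Running it shows the point made in the config comment: the qualified and unqualified forms of the iid bind resolve to the same DN, a non-iid bind is left alone, and a value containing a space is truncated at the space before the lookup, which is worth remembering when deciding how strict the character class should be.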